From 95bef00054ccdf46b940f8a7a6f93b011366c733 Mon Sep 17 00:00:00 2001
From: Bruno Windels
Date: Fri, 8 Mar 2019 20:03:47 +0100
Subject: [PATCH] some comments
---
 src/matrix/hs-api.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/matrix/hs-api.js b/src/matrix/hs-api.js
index e54b66f6..07e9babc 100644
--- a/src/matrix/hs-api.js
+++ b/src/matrix/hs-api.js
@@ -21,7 +21,9 @@ class RequestWrapper {
 export default class HomeServerApi {
 constructor(homeserver, accessToken) {
- this._homeserver = homeserver;
+ // store these both in a closure somehow so it's harder to get at in case of XSS?
+ // one could change the homeserver as well so the token gets sent there, so both must be protected from read/write
+ this._homeserver = homeserver;
 this._accessToken = accessToken;
 }
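Review bot: The two comments added in the constructor record a security concern as an open question and do not say what moving the fields into a closure would and would not achieve. A closure (or private fields) keeps `_homeserver` and `_accessToken` from being read or reassigned as plain properties, but script running in the page could still call this instance's own request methods, so the change narrows exposure rather than removing it and belongs alongside a content security policy and a review of wherever the token is persisted, which is not visible here. I would word it as a tracked item, e.g. `// TODO(security): keep homeserver and accessToken out of instance properties; limits direct read/write under XSS, does not stop use of this object`. The removed and re-added `this._homeserver = homeserver;` lines read the same here, presumably a whitespace-only change, and the class body continues outside the hunk.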